**New Windows exploit using malicious images**

chaos386

.sa = bad driver!
Joined
Nov 8, 2004
Messages
7,960
Location
Back in Saudia
Car(s)
SEAT Leon FR
There's a new exploit going around that allows a malicious user to compromise your computer just by having your browser load an image:

http://www.microsoft.com/technet/security/advisory/912840.mspx

The official fix from MS won't be out until the 10th, so just be careful until then. This definitely affects IE, and it may affect Firefox too (since it's an exploit of the OS, not just the browser).
 

Viper007Bond

Chicken Nugget Connoisseur
STAFF MEMBER
Joined
Sep 21, 2003
Messages
31,044
Location
Portland, Oregon
Car(s)
2008 Dodge Viper, 2006 MB CLS55 AMG
Yeah, my dad sent me this earlier today. Good times.
 

hajj

Well-Known Member
Joined
Mar 29, 2005
Messages
2,950
Location
Hamburg
My virus scanner recognizes the images so I am not that worried, but why to they take so long to fix it?
 

jensked

Well-Known Member
Joined
Mar 31, 2005
Messages
4,053
hajj said:
My virus scanner recognizes the images so I am not that worried, but why to they take so long to fix it?

how do you know?
 

Lusitano

Active Member
Joined
Apr 4, 2005
Messages
293
Location
Antes, Mealhada, Portugal
Car(s)
SIS Sachs Motozax V5
Software Security Incident Response Process (SSIRP)
:lol:

Bill is such a funny guy!
 

hajj

Well-Known Member
Joined
Mar 29, 2005
Messages
2,950
Location
Hamburg
jensked said:
hajj said:
My virus scanner recognizes the images so I am not that worried, but why to they take so long to fix it?

how do you know?

I found a safe exploit that starts the calculator if you are vulnerable and as soon as the image gets on my pc, the virusscanner recognizes it.
Found it on a German securiety website. Anyone interested?
 

oliB

Well-Known Member
Joined
Jan 14, 2004
Messages
1,391
Location
Germany
hajj said:
jensked said:
hajj said:
My virus scanner recognizes the images so I am not that worried, but why to they take so long to fix it?

how do you know?

I found a safe exploit that starts the calculator if you are vulnerable and as soon as the image gets on my pc, the virusscanner recognizes it.
Found it on a German securiety website. Anyone interested?
:wave:
 

bihus

Well-Known Member
Joined
Dec 7, 2003
Messages
4,618
Location
Portugal
Car(s)
BMW 330Cd
oliB said:
hajj said:
jensked said:
hajj said:
My virus scanner recognizes the images so I am not that worried, but why to they take so long to fix it?

how do you know?

I found a safe exploit that starts the calculator if you are vulnerable and as soon as the image gets on my pc, the virusscanner recognizes it.
Found it on a German securiety website. Anyone interested?
:wave:
 

jensked

Well-Known Member
Joined
Mar 31, 2005
Messages
4,053
No we're not interested, we'd rather have our hard drives erased.

Of course we're interested, share share share !
 

jensked

Well-Known Member
Joined
Mar 31, 2005
Messages
4,053
^ Norton intervenes when i click on that link...i suppose that's good?
 

BerserkerCatSplat

Hormone Induced
Joined
Jun 21, 2005
Messages
9,711
Location
Alberta, Canada
Car(s)
The Jeep of Theseus, Angry Wagon
swek said:

AV programs will block that specific file, not the security vulerability. That file should not be used to test if your system is secure, because a real exploiting file will saunter right past AV software.

All one has to do is modify the payload to, say, install something that steals all your passwords and change the fields in the wmf header to something random/generic and it'll be totally blind to it.
 

chaos386

.sa = bad driver!
Joined
Nov 8, 2004
Messages
7,960
Location
Back in Saudia
Car(s)
SEAT Leon FR

oliB

Well-Known Member
Joined
Jan 14, 2004
Messages
1,391
Location
Germany
chaos386 said:
swek said:
Click here if you want to check your system: http://www.heise.de/security/dienste/browsercheck/demos/ie/wmfexp2.php

3rd party hotfix if you want to take the risk (Some known incompatibilities with network and print equipment). http://216.227.222.95/
When I try to open that file, Data Execution Prevention closes it! I :heart: my Athlon 64!!! ^_^
When I do it, the calculator starts! Crap, I thought Trend Micro Pc-Cillin was supposed to be the best Anti-Vir prog around? :thumbsdown:

EDIT: I'm currently using PC-Cillin 2005, looks like I can't update it anymore since the 2006 version was released. I might have to acquire the new version. ;)
 

fbc

Retired Moderator
Joined
Jan 8, 2005
Messages
11,802
Location
Melbourne, Australia
Car(s)
2006 MY07 Astra SRi Turbo
oliB said:
When I do it, the calculator starts! Crap, I thought Trend Micro Pc-Cillin was supposed to be the best Anti-Vir prog around? :thumbsdown:

Me too :( AVG isn't blocking it
 

hajj

Well-Known Member
Joined
Mar 29, 2005
Messages
2,950
Location
Hamburg
BerserkerCatSplat said:
swek said:

AV programs will block that specific file, not the security vulerability. That file should not be used to test if your system is secure, because a real exploiting file will saunter right past AV software.

All one has to do is modify the payload to, say, install something that steals all your passwords and change the fields in the wmf header to something random/generic and it'll be totally blind to it.

Yes true a little variation makes a big difference. i hope the fix will really come on monday.
 

chaos386

.sa = bad driver!
Joined
Nov 8, 2004
Messages
7,960
Location
Back in Saudia
Car(s)
SEAT Leon FR
I'd just like to let everyone know that if you have an Athlon 64 and installed SP2 for Windows XP, you can enable Data Execution Prevention, which protects you from this exploit (apparantly) and from other buffer overrun exploits.
 
Top